Monday, February 18, 2008

Most of you reading this will probably not have read one of my earliest posts, in which I talk about the compelling event that made me decide to start blogging. I'll summarise it for those who don't feel like reading it (it's quite lengthy):

My bank really annoyed me because they called to ask some questions about my credit card application. But before telling me what it was about, they proceeded to ask a bunch of questions so that I could validate myself to them.

Why is this so wrong? First of all, they called me. They should be the ones that need to validate themselves before I need to validate myself. For all I know, it could have been a phishing phone call. As security professionals, we should know better...which is why I was so annoyed at myself for capitulating before realising what I had done. The ideal situation would be some form of mutual validation of both parties (I propose a way to do this in my post). Most banks do this...which is completely idiotic. How can they say they are trying to protect their customers when one of their fundamental processes exposes us to phishing scams?

The other day, my mobile phone service provider called me (it turned out they were trying to sell me something) and did a very similar thing. This time, I knew it was them because of the caller ID (which was authentication enough for me because that's much harder to spoof), so I gave up my details when they did the "please allow us to validate you first". The only problem was that they made me give up my PIN, which is actually in full view of the call centre employee...this is another problem altogether. Identity theft, anyone? (Side note: my Internet provider also does the same thing. They ask for the first 4 characters of my password - hopefully the call centre person cannot see the rest of it.) But this is another topic for another day (maybe).

The phone call brought back memories of my whole bank validation incident, but this time I had an additional thought (I'll get to that...read on).

Until the banks and other organisations that deal with consumers (and have to store/use our details) wake up and fix their processes to better protect the average non-security aware user (because good security is very much about education and awareness), we're going to have to continue to deal with them in this way and "validate" ourselves. If we can't change the way they interact with us, we can at least force a level of mutual validation/authentication and protect ourselves somewhat.

How? Next time an organisation calls and proceeds to say that they need to validate they are talking to you, just give them the wrong answer. If they are who they say they are, they'll say "I'm sorry sir/madam, but I'm afraid that's incorrect". Someone phishing for your details will accept that wrong answer as being correct. Now why didn't I think of that earlier?!

Here's the added bonus. Had I done this to my mobile phone service provider, I would have been able to say (rather gleefully I might add): "Too bad, I can't authenticate myself so you can't sell me anything."

RSA's cash cow for years has been the token stuff (SecurID). And as a tie into this, all the smart card and PKI products. They also have a decent market share in the enterprise access management space in the form of Access Manager (previously known as ClearTrust). As an extension to this, they have a Federation product. Heck they even have a data security solution via their acquisition of Tablus last year.

I recently talked about how I think that identity and data will inevitably collide and need to be integrated somehow, so EMC seems to be positioning themselves to address this. They'll surely also tie this in nicely (at least from a marketing standpoint) with EMC's data and storage solutions. The problem is that for years, RSA has had a great big hole in the identity space. They still do. What is it? Come on, it's obvious. If you want the answer, read on.

RSA don't do identity provisioning. They used to address this great big hole via a partnership with Thor until Oracle came along and screwed up the party by buying Thor.

This partnership with Courion looks to be a step towards filling that gap once again...and with the might of EMC behind them, can an acquisition of Courion be far behind? If they wait too long, they may end up making the same mistake twice and having the Oracle/Thor thing happen to them a second time.

If EMC want RSA to be a serious player in the security marketplace moving forward, they need to do it. At the moment, they are a long way behind Oracle, IBM, CA, Sun and Novell in this respect...unless you just want those RSA SecurID tokens.